Leave a Comment

The first steps I normally perform are updating the packages and upgrading current packages to make sure everything that's default is up to date.

sudo apt-get update \
&& sudo apt-get -y upgrade

Once that's done, I'll handle setting up a new user, add them to the sudo group, and test that the user is able to actually use sudo to escalate and run commands that would otherwise require root.

If all is well there, then I'll setup firewall rules. Since you're using Ubuntu, this is super easy. We can use ufw and ultimately, we would setup a default policy to deny any connection that we don't allow through with rules we'll add afterwards.

We're using /tcp to define the connection type. This means that we only want to allow connections on these ports using TCP (not UDP).

Beyond SSH, HTTP, and HTTPS, you would also need to add any rules to cope with connections on other public ports. So, for example, if you needed remote database access to MySQL, you'd have to open that port up as it'd be blocked with just the above rules in place.

Once all rules are set, we then need to enable the firewall.

sudo ufw enable

It'll ask you if you really want to enable and that enabling may cause your current connection to drop. Type y and hit enter. As long as SSH has been setup (as shown above), the connection won't drop.

Beyond a Firewall, there's also fail2ban, which is useful. Setting it up requires a little more, though it's definitely something to consider.

I would also make sure directory and file permissions are properly setup -- that is, files should have a chmod of 644 and directories 755. Also, proper ownership of files and directories should be set as you don't want public files being served by the root user. I even tend to go a step further and only serve files and directories from a non-root, non-sudo user. Just a basic, unprivileged, non-shell user that can't do anything other than own files and directories.